# zipfuse is a FUSE daemon that runs inside microdroid. It reads the block
# device /dev/block/by-name/microdroid-apk, whose content comes from an APK
# file, and mounts it on /mnt/apk so that the entries of the APK are seen as
# regular files. See packages/modules/Virtualization/zipfuse.

# Process domain for the daemon and the label of its executable.
type zipfuse, domain, coredomain;
type zipfuse_exec, exec_type, file_type, system_file_type;

# zipfuse uses bootstrap bionic, so it needs to read the bootstrap library
# directory and to read, map and execute the libraries in it. No write
# permission is granted on these files.
allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };

# Basic rules needed to implement FUSE: read/write access to the FUSE
# character device plus the sys_admin capability.
# NOTE(review): sys_admin is a very broad capability; presumably it is needed
# for the mount operation itself. Confirm, and treat every other allow rule
# in this domain as being held by a process that has it.
allow zipfuse fuse_device:chr_file rw_file_perms;
allow zipfuse self:global_capability_class_set sys_admin;

# Allow read access to the block_device directory and to the symlinks
# /dev/block/by-name/* that lead to the /dev/vd* block device files.
# These two rules grant only directory and symlink access; no blk_file
# permission on block_device is granted here.
allow zipfuse block_device:dir r_dir_perms;
allow zipfuse block_device:lnk_file r_file_perms;

# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*, so the APK
# content is read through a dm_device node. Access is read-only.
# NOTE(review): the rule is written against the dm_device type, so it is not
# limited to the one node backing the APK. Confirm that is acceptable.
allow zipfuse dm_device:blk_file r_file_perms;

# Allow mounting on /mnt/apk.
# The rule is written against the tmpfs type, so it covers any directory
# labeled tmpfs, not only /mnt/apk.
allow zipfuse tmpfs:dir mounton;

# Allow mounting with fscontext=u:object_r:zipfusefs:s0: the filesystem is
# relabeled from the fuse type to the dedicated zipfusefs type declared here.
type zipfusefs, fs_type, contextmount_type;
allow zipfuse fuse:filesystem relabelfrom;
allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };

# Allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex.
# Consequence: every domain with access to system_file gets the same access to
# the files served from the APK, so the policy itself does not distinguish
# APK content from platform files.
# NOTE(review): presumably the APK content is verified before it is mounted.
# Confirm where that check happens.
allow system_file zipfusefs:filesystem associate;

# Allow zipfuse to log to the kernel (write-only access to the kmsg device).
allow zipfuse kmsg_device:chr_file w_file_perms;

# Allow zipfuse to handle extra APKs: read directories and files labeled
# extra_apk_file and mount on directories of that type.
r_dir_file(zipfuse, extra_apk_file)
allow zipfuse extra_apk_file:dir mounton;

# zipfuse is forked from microdroid_manager, so it is allowed to use file
# descriptors that belong to microdroid_manager.
# TODO(inseob): remove this
allow zipfuse microdroid_manager:fd use;

# Only microdroid_manager can run zipfuse. This neverallow is a compile-time
# assertion: no other domain may be granted transition or dyntransition into
# the zipfuse domain.
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };

# Only zipfuse can mount on extra_apk_file directories. As above, this is a
# compile-time assertion covering every other domain.
neverallow { domain -zipfuse } extra_apk_file:dir mounton;